Evidence of Program Execution Flashcards
Investigate areas of Program Execution
Define UserAssist
UserAssist tracks GUI-based programs launched from the desktop (via Explorer) on a Windows system. For each program it keeps a run count, focus count/time and the last execution time, stored per user. Value names are ROT-13 encoded, so they must be decoded before the program path is readable.
Provide the UserAssist Location
NTUSER.DAT hive: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. On Win7 and later, {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} holds executable launches and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} holds shortcut (.lnk) launches; each Count value is a 72-byte binary structure.
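The ROT-13 names and 72-byte Count values above are only useful once decoded. The following is an added example written for these flashcards, not code from the original deck: it assumes the documented Win7+ Count layout (run count at offset 4, focus count at 8, focus time at 12, last-execution FILETIME at 60) and a small, assumed table of known-folder GUIDs that often prefix decoded names. The sample value and name are constructed, not taken from a real NTUSER.DAT.

```python
"""Decode UserAssist Count values (Windows 7 and later layout).

Added example for these flashcards, not code from the original deck. It
assumes the documented Win7+ value format: 72 bytes, run count at offset 4,
focus count at offset 8, focus time (ms) at offset 12 and the last-execution
FILETIME at offset 60. Value names are ROT-13; the sample below is constructed.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Known-folder GUIDs that commonly prefix decoded UserAssist names (subset, assumed here).
KNOWN_FOLDERS = {
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
}


def filetime_to_datetime(ft: int):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to aware datetime; 0 means never run."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, integer arithmetic only (no float rounding)."""
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def decode_name(raw_name: str) -> str:
    """Undo ROT-13 on the value name and expand a leading known-folder GUID."""
    name = codecs.decode(raw_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return folder + name[len(guid):]
    return name


def parse_count_value(raw_name: str, data: bytes) -> dict:
    """Parse one Count value into the fields an examiner reports."""
    if len(data) < 68:
        raise ValueError(f"expected a 72-byte Win7+ Count value, got {len(data)} bytes")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": decode_name(raw_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run_utc": filetime_to_datetime(last_run_ft),
    }


# --- constructed sample (not from a real hive) -------------------------------
SAMPLE_LAST_RUN = datetime(2023, 3, 14, 15, 9, 26, tzinfo=timezone.utc)


def build_count_value(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Build a 72-byte Count value in the Win7+ layout (used to exercise the parser)."""
    return (
        struct.pack("<4I", 0, run_count, focus_count, focus_ms)
        + b"\x00" * 44  # ten floats plus 4 unknown bytes (offsets 16-59), not needed here
        + struct.pack("<Q", datetime_to_filetime(last_run))
        + b"\x00" * 4   # trailing unknown DWORD
    )


SAMPLE_RAW_NAME = codecs.encode("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe", "rot_13")
SAMPLE_DATA = build_count_value(run_count=5, focus_count=12, focus_ms=90_000, last_run=SAMPLE_LAST_RUN)


def sample_entry() -> dict:
    return parse_count_value(SAMPLE_RAW_NAME, SAMPLE_DATA)


if __name__ == "__main__":
    e = sample_entry()
    print(f"{e['program']}  runs={e['run_count']}  last={e['last_run_utc']:%Y-%m-%d %H:%M:%S} UTC")
```

On a real image, feed `parse_count_value` the value name and REG_BINARY data read from the Count key with a hive parser; a 0 FILETIME means the entry was created but the program has no recorded run.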
Describe BAM/DAM
Windows Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM), introduced in Windows 10 1709. Under each user's SID, the value names are the full paths of executables that were run, and each 24-byte binary value starts with an 8-byte FILETIME giving the last execution date/time (UTC). Because entries are keyed by SID, BAM attributes execution to a specific account.
Provide the BAM/DAM location
WIN10 SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID} (and ...\Services\dam\UserSettings\{SID}). From Windows 10 1809 onward the key is SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}. In an offline hive, CurrentControlSet is the ControlSet00X named by the Select key.
Describe RecentApps
Program execution launched on a Win10 system is tracked in the RecentApps key (present only in Windows 10 builds 1607 through 1709). Each application subkey records the executable path (AppId), a LaunchCount and a LastAccessedTime, with RecentItems subkeys for files opened by that application.
Provide the RecentApps location
WIN10 NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
Describe ShimCache
ShimCache (Application Compatibility Cache) tracks an executable's full path and the file's $STANDARD_INFORMATION last modified time (file size was only stored on Windows XP). The timestamp is the file's modification time, not the time it ran. On Win7/8 an insert/execution flag marks files that actually executed; on Win10 there is no such flag and entries are also created for executables merely browsed in Explorer, so presence alone does not prove execution. Entries are ordered most recently inserted first, and the cache is written to the registry only at shutdown/reboot, so the on-disk hive lags a live system. Collected at scale, it is a fast way to identify which systems a specific malware file was present or run on.
Provide the ShimCache location
WIN7/8/10 SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache (REG_BINARY value AppCompatCache; use ControlSet00X in an offline hive). Windows XP stored it under ...\Session Manager\AppCompatibility instead.
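The AppCompatCache value is one binary blob that has to be walked entry by entry. The following is an added example written for these flashcards, not code from the original deck or from any ShimCache tool: it assumes the documented Windows 10 layout (first DWORD = header size, entries starting at that offset, each entry "10ts" + 4 unknown bytes + DWORD size + WORD path length + UTF-16LE path + last-modified FILETIME + DWORD data length + data) and applies an assumed triage heuristic that flags executables living in user-writable directories. The blob and paths are constructed, not from a real SYSTEM hive.

```python
"""Walk Windows 10 AppCompatCache (ShimCache) entries from a raw value blob.

Added example for these flashcards, not code from the original deck. It
assumes the documented Windows 10 layout described in the lead-in; the
sample blob below is constructed, not a real SYSTEM hive value.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ENTRY_SIGNATURE = b"10ts"
# Assumed triage heuristic: executables under these directories deserve a second look.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\", "\\downloads\\")


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def parse_appcompatcache_win10(blob: bytes) -> list:
    """Return entries in cache order (position 0 = most recently inserted)."""
    (header_size,) = struct.unpack_from("<I", blob, 0)
    if header_size not in (0x30, 0x34):
        raise ValueError(f"unexpected header size {header_size:#x}; not a Windows 10 cache?")
    entries = []
    pos = header_size
    while pos + 12 <= len(blob) and blob[pos:pos + 4] == ENTRY_SIGNATURE:
        (entry_size,) = struct.unpack_from("<I", blob, pos + 8)  # size of the data after this field
        cur = pos + 12
        (path_len,) = struct.unpack_from("<H", blob, cur)
        cur += 2
        path = blob[cur:cur + path_len].decode("utf-16-le")
        cur += path_len
        (mtime_ft,) = struct.unpack_from("<Q", blob, cur)
        cur += 8
        (data_len,) = struct.unpack_from("<I", blob, cur)
        cur += 4
        entries.append({
            "position": len(entries),
            "path": path,
            "last_modified_utc": filetime_to_datetime(mtime_ft),  # file mtime, NOT execution time
            "data": blob[cur:cur + data_len],
            "declared_size": entry_size,
        })
        pos = cur + data_len  # advance by what was actually consumed
    return entries


def suspicious_entries(entries: list) -> list:
    """Apply the assumed user-writable-path heuristic; cache order still gives recency."""
    return [e for e in entries if any(m in e["path"].lower() for m in USER_WRITABLE_MARKERS)]


# --- constructed sample (not a real AppCompatCache value) --------------------
def build_entry(path: str, last_modified: datetime, data: bytes = b"") -> bytes:
    p = path.encode("utf-16-le")
    body = (struct.pack("<H", len(p)) + p
            + struct.pack("<Q", datetime_to_filetime(last_modified))
            + struct.pack("<I", len(data)) + data)
    return ENTRY_SIGNATURE + b"\x00" * 4 + struct.pack("<I", len(body)) + body


SAMPLE_ENTRIES = [  # most recently inserted first, as Windows orders them
    ("C:\\Users\\jdoe\\AppData\\Local\\Temp\\svch0st.exe", datetime(2023, 5, 2, 8, 41, 3, tzinfo=timezone.utc)),
    ("C:\\Windows\\System32\\cmd.exe", datetime(2022, 11, 5, 2, 12, 55, tzinfo=timezone.utc)),
    ("C:\\Windows\\System32\\notepad.exe", datetime(2022, 11, 5, 2, 12, 51, tzinfo=timezone.utc)),
]
SAMPLE_BLOB = struct.pack("<I", 0x34) + b"\x00" * 0x30 + b"".join(build_entry(p, t) for p, t in SAMPLE_ENTRIES)


def sample_entries() -> list:
    return parse_appcompatcache_win10(SAMPLE_BLOB)


if __name__ == "__main__":
    for e in sample_entries():
        flag = "  <-- user-writable path" if e in suspicious_entries(sample_entries()) else ""
        print(f"{e['position']:3d}  {e['last_modified_utc']:%Y-%m-%d %H:%M:%S}  {e['path']}{flag}")
```

Remember when reading the output that position, not the timestamp, is the recency signal: the FILETIME is the executable's last modified time, and on Windows 10 an entry only shows the file was seen, not necessarily run.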
Describe Jump Lists
Windows 7 to 10 taskbar Jump Lists let users jump to items they have frequently or recently used with a given application. Each AutomaticDestinations file is named by the application's AppID and is an OLE compound file holding embedded LNK streams (target path, MAC times, volume serial) plus a DestList stream that records each entry's last access time and ordering. An entry proves the application was used and shows which files it opened.
Provide the Jump Lists location
WIN7/8/10 C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations (*.automaticDestinations-ms). Application-curated lists live beside them in ...\Recent\CustomDestinations (*.customDestinations-ms).
Describe Prefetch
Prefetch increases system performance by pre-loading code pages of commonly used applications. Each .pf file (EXENAME-HASH.pf, the hash derived from the executable's path) records the executable name, run count, last run time (the last eight run times on Win8 and later) and the files and directories referenced in the first seconds of execution; the .pf file's creation time approximates first run. Limits: 128 files on Win7, 1024 on Win8 and later. Prefetch is disabled by default on Server editions and may be off on SSD systems; check the EnablePrefetcher value under SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters. Windows 10 .pf files are compressed (MAM header) and must be decompressed before parsing.
Provide the Prefetch Location
C:\Windows\Prefetch
Describe AmCache.hve
Amcache.hve is a registry hive (Win8 and later; it replaced Win7's RecentFileCache.bcf) with an entry for every executable run, giving the full path, file size, compile time and a SHA-1 hash (computed over the first 31 MB of the file), plus first-seen timestamps. On later Windows 10 builds entries are also created by application inventory, so presence alone is weaker evidence of execution than on Win8; the SHA-1 is the most useful field for checking against threat intelligence.
Provide the AmCache.hve location
C:\Windows\AppCompat\Programs\Amcache.hve (Win7 kept C:\Windows\AppCompat\Programs\RecentFileCache.bcf in the same folder)